I guess I was so consumed with getting the client side of the application to be authenticated with JAAS that I focused on the remoting subsystem. It makes sense that any HornetQ security would be defined within the messaging subsystem.